TwoMillion exposes several vulnerabilities: an exposed invite-code mechanism for initial access, insecure API endpoints that allowed privilege escalation by granting admin rights, an admin endpoint vulnerable to command injection (RCE), exposed database credentials used to pivot to a user account, and a local kernel exploit enabling full root escalation.